4.3 Hybrid Cloud

A hybrid cloud environment is similar to a public cloud environment because it is operated by a service provider. However, the resources available to a consuming organization (such as applications and storage) are a mix of resources owned by the service provider and resources owned by the organization itself.

In Cloud Manager, a hybrid cloud is implemented by using an on-premise zone. The Cloud Manager Application Server runs on the computing infrastructure of the service provider, while the Cloud Manager Orchestration Server that manages the resources of the consuming organization runs on the computing infrastructure of that organization. Tunneling or a VPN is necessary to establish the communication path between the Cloud Manager Application Server and the on-premise Cloud Manager Orchestration Server and the virtual infrastructure.

The following diagram illustrates the basic components you should consider as integral if you plan to allow an external service provider to use Cloud Manager to administer the on-premise virtual resources of your organization.

Figure 4-3 Cloud Manager components in a hybrid cloud configuration

There are several deployment considerations in a Cloud Manager hybrid cloud structure:

  • Access to virtual machine consoles is provided by the Cloud Manager Application Server Console (a Web-based interface).

  • A reverse proxy (e.g. NetIQ Access Manager) takes care of the SSL endpoint work and redirects from port 80/443 to port 8183 on the Cloud Manager Application Server.

  • The external firewall must allow incoming connections to the reverse proxy on port 80/443 and on the remote console port (a high port between 8000 and 65535, as configured in Cloud Manager). Alternatively the remote console port can be tunneled through the reverse proxy.

  • In the service provider's infrastructure and in the on-premise organization infrastructure, Cloud Manager must have access to the ports that expose workload consoles on the hypervisors. For VMware 5.x, these are ports 50000-50999.

    You should set up either server-to-server VPN networking or tunneling that is activated to the on-premise organization infrastructure.

  • The minimum bandwidth requirement for efficient remote management (including a remote console session) is 16 MB. Without a remote console session, the requirement is 1 MB.

  • Responsibility for template management, storage and resource pooling is owned by the service provider and by the organization, respectively, in their separate infrastructures. All workload templates must reside on the infrastructure where their corresponding virtual machines run: templates can only be consumed in the infrastructure where they reside (service provider or organization).

  • Administrative functions are separated between the service provider and the consuming organizations. The service provider (whose administrative rights can be directly assigned or delegated) maintains and operates the Cloud Manager infrastructure (including such things as template management, storage, and resource pooling) while the organizations paying for services use the Cloud Manager Application Server Console to manage a VM’s lifecycle (including change requests).

  • Operational tasks in the cloud environment as a whole are the responsibility of the service provider. The paying organization consumes that infrastructure, which also encompasses the resources of the customer’s own on-prem zone. The organization’s activity in the cloud would typically include VM lifecycle operations, including change requests.

  • Administrative responsibilities such as template management, storage, and resource pooling are separately executed by the service provider or the organization, depending on the infrastructure involved. Workload templates can only be consumed in the infrastructure (that is, the Cloud Manager zone) where they reside. The administrative role can be directly assigned or delegated.
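The firewall and port considerations above are easy to get subtly wrong: exposing the Application Server port 8183 directly instead of only through the reverse proxy, or opening only part of the hypervisor console range so that consoles work for some workloads and not others. The script below is an added example, not NetIQ or Cloud Manager code; it models the documented port matrix (80/443 to the reverse proxy, a site-chosen remote console port between 8000 and 65535, and VMware 5.x console ports 50000-50999) and checks a constructed rule set against it. The Rule data structure, the zone names ("internet", "proxy", "appserver", "cloudmanager", "hypervisor") and the sample rules are assumptions made for the illustration.

```python
"""Check a hybrid-cloud firewall allow-list against the Cloud Manager port
requirements.  Added example (not NetIQ code); rule format, zone names and
sample rules are assumptions made for this illustration."""
from dataclasses import dataclass

# Port ranges named in the deployment considerations.  The remote console
# port is chosen per site in Cloud Manager, so it is passed in, not fixed.
REVERSE_PROXY_PORTS = {80, 443}
APP_SERVER_PORT = 8183                      # reached only via the reverse proxy
HYPERVISOR_CONSOLE_RANGE = (50000, 50999)   # VMware 5.x workload consoles
REMOTE_CONSOLE_RANGE = (8000, 65535)


@dataclass(frozen=True)
class Rule:
    src: str        # assumed zone names: "internet", "proxy", "cloudmanager"
    dst: str        # assumed zone names: "proxy", "appserver", "hypervisor"
    port_lo: int
    port_hi: int


def rule_covers(rule, port):
    return rule.port_lo <= port <= rule.port_hi


def check_external_firewall(rules, remote_console_port, console_via_proxy=False):
    """Findings for the internet-facing firewall.  Required: internet -> proxy
    on 80/443, plus the remote console port unless it is tunneled through the
    proxy.  Any other inbound exposure is flagged."""
    findings = []
    lo, hi = REMOTE_CONSOLE_RANGE
    if not lo <= remote_console_port <= hi:
        findings.append(f"remote console port {remote_console_port} outside {lo}-{hi}")
    inbound = [r for r in rules if r.src == "internet"]
    for p in sorted(REVERSE_PROXY_PORTS):
        if not any(r.dst == "proxy" and rule_covers(r, p) for r in inbound):
            findings.append(f"missing: internet -> proxy port {p}")
    if not console_via_proxy and not any(
            r.dst == "proxy" and rule_covers(r, remote_console_port) for r in inbound):
        findings.append(f"missing: internet -> proxy remote console port {remote_console_port}")
    allowed = set(REVERSE_PROXY_PORTS)
    if not console_via_proxy:
        allowed.add(remote_console_port)
    for r in inbound:
        if r.dst != "proxy":
            # Only the reverse proxy should be reachable from outside.
            findings.append(f"exposed: internet -> {r.dst} {r.port_lo}-{r.port_hi} "
                            "(only the proxy should be reachable)")
            continue
        extra = [p for p in range(r.port_lo, r.port_hi + 1) if p not in allowed]
        if extra:
            findings.append(f"exposed: internet -> proxy {extra[0]}..{extra[-1]} not required")
    return findings


def check_hypervisor_console_access(rules):
    """Cloud Manager must reach the whole hypervisor console range; a rule that
    covers only part of it breaks consoles for some VMs.  Returns the ports
    still unreachable (empty list means the full range is allowed)."""
    lo, hi = HYPERVISOR_CONSOLE_RANGE
    covered = set()
    for r in rules:
        if r.src == "cloudmanager" and r.dst == "hypervisor":
            covered.update(range(max(lo, r.port_lo), min(hi, r.port_hi) + 1))
    return [p for p in range(lo, hi + 1) if p not in covered]


# Constructed sample rule set containing two deliberate mistakes.
SAMPLE_RULES = [
    Rule("internet", "proxy", 80, 80),
    Rule("internet", "proxy", 443, 443),
    Rule("internet", "proxy", 9443, 9443),         # remote console port chosen in Cloud Manager
    Rule("internet", "appserver", 8183, 8183),     # mistake: app server reachable directly
    Rule("proxy", "appserver", 8183, 8183),
    Rule("cloudmanager", "hypervisor", 50000, 50500),  # mistake: only part of 50000-50999
]

if __name__ == "__main__":
    for finding in check_external_firewall(SAMPLE_RULES, remote_console_port=9443):
        print("external:", finding)
    unreachable = check_hypervisor_console_access(SAMPLE_RULES)
    print("hypervisor console ports unreachable:", len(unreachable))
```

Run against the constructed rules, the check reports the directly exposed Application Server and 499 unreachable hypervisor console ports; pass `console_via_proxy=True` when the remote console port is tunneled through the reverse proxy, and the inbound console rule is then neither required nor allowed.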